一.实验概述 实验目的: 1/开机零配置中性企业网络骨干架构。 2/部署出口防火墙HA(Active/Standby)并验证测试。 3/部署双出口自动冗余切换并验证测试。 实验材料: EVE-NG ,ASAv(v9.8) ,路由器,L3交换机。 实验前提 此次实验防火墙为routed模式,并且为single模式
实验拓扑:
拓扑说明: 1/名称说明: Net云为通EVE-NG模拟器主机桥接的NAT网卡,负责该网络拓扑向外通信;ISP指代为运营商设备,BSW为边界交换机用于透传vlan和扩展接口,ASA为出口防火墙,CSW为核心交换机,ASW为介入交换机,DMZSW为DMZ网关交换机。 2/网段说明: ISP1:100.100.100.x/30 ISP2:200.200.200.x/30 DMZ PAT地址为100.100.101.x/24 ,核心上联网段为10.10.10.x/24 ,核心下联网段为10.10.20.0/24和10.10.21.0/24,用户端为10.10.30.0/24,DMZ上联网段为172.16.10.0/24 ,服务器网段为172.16.20.0/24 3/关键功能点说明 ①出口双线冗余自动切换,采用静态浮动路由的方式(默认ISP1为主)。 ②防火墙双击冗余,采用failover Active/Standby 机制(默认ASA-A为主)。 ③关键难点,在防火墙配置了AS模式后,主备防火墙配置是一模一样的,包括接口配置/路由配置/ACL/NAT等基础策略,当主防火墙在故障(宕机或者监控接口down )在切换到备墙后上下联设备配置如何自动适应墙的主备切换。上联防火墙通过交换机vlan将2个墙的出口和对应线路的ISP网关组到了一个广播域中,无论是哪台墙工作都可以自动通ISP网关自适应,另外ISP提供的IP是极其有限的,我们不能在上联进行HSRP这样的冗余切换配置,只能是通过二层vlan通ISP网关打通(土豪无所谓)。对于下联我们就可以用HSRP的方式实现通墙切换的联动。注意这里有个小细节因为防火墙上联至二层和ISP 网关打通的所以切换过程中不涉及路由的切换,而下联是通过三层联动,这里会涉及路由的切换,如果同样也在墙中启用了动态路由协议那就不用考虑这个问题,但大多数情况下生产环境墙内是不会去跑路由协议的(墙主要职能是安全规则不是控制路由,静态完全游刃有余,而且清晰明了)。从核心层到用户网关层之间我们启用OSFP,核心到上联使用静态路由,所以这里上联的静态路由也需要加track,否则即使防火墙从A切换到B核心层上来的路由依旧会在CSW-1,然后再转发到CSW-2,在CSW-1静态路由中加入track ,引入OSPF时不添加always 参数,当ASA-A异常切换到ASA-B时,CSW-1中的track被触发,静态路由消失,CSW-1的OSPF中就不会向下发布默认路由,而CSW-2中的静态路由和CSW-1中的时一样的加track和相同的OSPF路由引入配置,这样就不会存在墙且到备以后,路由的横向折返,直接有主防火墙下联交换机下发默认路由,下联交换机直接转发数据包到对于的下一条。
二.设备核心配置
所有设备配置中均不包含二层/三层安全及调优/管理配置 ISP *
- interface Ethernet0/0 ip address dhcp ! interface Ethernet0/1 ip address 100.100.100.2 255.255.255.252 ! interface Ethernet0/2 ip address 200.200.200.2 255.255.255.252
ip route 100.100.101.0 255.255.255.0 100.100.100.1 ip route 200.200.201.0 255.255.255.0 200.200.200.1 //以上配置为ISP中配置,路由为DMZ中做PAT pool的public IP
BSW
interface Port-channel10 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet0/0 switchport access vlan 100 switchport mode access media-type rj45 negotiation auto ! interface GigabitEthernet0/1 switchport access vlan 100 switchport mode access media-type rj45 negotiation auto ! interface GigabitEthernet0/2 switchport access vlan 200 switchport mode access media-type rj45 negotiation auto ! interface GigabitEthernet1/2 switchport trunk encapsulation dot1q switchport mode trunk media-type rj45 negotiation auto channel-group 10 mode active ! interface GigabitEthernet1/3 switchport trunk encapsulation dot1q switchport mode trunk media-type rj45 negotiation auto channel-group 10 mode active !
ASA-A
! failover failover lan unit primary failover lan interface Folink GigabitEthernet0/5 failover polltime unit 1 holdtime 5 failover polltime interface msec 500 holdtime 25 failover polltime link-state msec 500 failover standby config-lock failover link statelink GigabitEthernet0/6 failover interface ip Folink 2.2.2.1 255.255.255.252 standby 2.2.2.2 failover interface ip statelink 3.3.3.1 255.255.255.252 standby 3.3.3.2 failover ipsec pre-shared-key ***** !
interface GigabitEthernet0/0 nameif inside security-level 100 ip address 10.10.10.1 255.255.255.0 ! interface GigabitEthernet0/1 nameif outside1 security-level 0 ip address 100.100.100.1 255.255.255.252 ! interface GigabitEthernet0/2 nameif outside2 security-level 0 ip address 200.200.200.1 255.255.255.252 ! interface GigabitEthernet0/3 nameif DMZ security-level 80 ip address 172.16.10.1 255.255.255.252 ! interface GigabitEthernet0/5 description LAN Failover Interface ! interface GigabitEthernet0/6 description STATE Failover Interface !
! object network InUsers subnet 10.0.0.0 255.0.0.0 object network DMZ subnet 172.16.0.0 255.255.0.0 object network Pub_DMZ host 100.100.101.200 object service TCP_8080 service tcp destination eq 8080 object service TCP_80 service tcp destination eq www object network DMZ_172.16.20.200 host 172.16.20.200 access-list inside_in extended permit icmp any any access-list inside_in extended permit ip 10.0.0.0 255.0.0.0 any access-list outside1_in extended permit icmp any any access-list outside1_in extended permit ip any host 172.16.20.200 access-list outside2_in extended permit icmp any any access-list outside2_in extended permit ip any host 172.16.20.200 access-list dmz_in extended permit icmp any any access-list dmz_in extended permit ip object DMZ any nat (any,DMZ) source static any any destination static Pub_DMZ DMZ_172.16.20.200 service TCP_8080 TCP_80 nat (inside,outside1) source dynamic InUsers interface nat (DMZ,outside1) source dynamic DMZ interface nat (inside,outside2) source dynamic InUsers interface nat (DMZ,outside2) source dynamic DMZ interface access-group inside_in in interface inside access-group outside1_in in interface outside1 access-group outside2_in in interface outside2 access-group dmz_in in interface DMZ route outside1 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1 route outside2 0.0.0.0 0.0.0.0 200.200.200.2 10 route inside 10.0.0.0 255.0.0.0 10.10.10.2 1 route DMZ 172.16.0.0 255.255.0.0 172.16.10.2 1 ! ! sla monitor 1 type echo protocol ipIcmpEcho 100.100.100.2 interface outside1 timeout 1000 sla monitor schedule 1 life forever start-time now ! ! track 1 rtr 1 reachability !
ASA-B中只有failover配置略有不同,其他配置全部同步子ASA-A完全一致。 failover failover lan unit secondary failover lan interface Folink GigabitEthernet0/5 failover polltime unit 1 holdtime 5 failover polltime interface msec 500 holdtime 25 failover polltime link-state msec 500 failover standby config-lock failover link statelink GigabitEthernet0/6 failover interface ip Folink 2.2.2.1 255.255.255.252 standby 2.2.2.2 failover interface ip statelink 3.3.3.1 255.255.255.252 standby 3.3.3.2 failover ipsec pre-shared-key *****
PS:在防火墙的部署中,在开机零配置的情况下最后保证2台设备完全一致,首先分别配置failover,之后所有配置只需在主墙中配置即可。
ASDM配置
CSW-1
! interface Port-channel10 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet0/0 switchport access vlan 1000 switchport mode access media-type rj45 negotiation auto ! ! interface GigabitEthernet0/1 no switchport ip address 10.10.20.1 255.255.255.252 negotiation auto ! ! interface GigabitEthernet1/2 switchport trunk encapsulation dot1q switchport mode trunk media-type rj45 negotiation auto channel-group 10 mode on ! interface GigabitEthernet1/3 switchport trunk encapsulation dot1q switchport mode trunk media-type rj45 negotiation auto channel-group 10 mode on ! ! interface Vlan1000 ip address 10.10.10.3 255.255.255.0 standby 10 ip 10.10.10.2 standby 10 priority 200 standby 10 preempt standby 10 track 1 decrement 50 !
! router ospf 1 router-id 10.10.10.3 network 10.10.10.0 0.0.0.255 area 0 network 10.10.20.0 0.0.0.255 area 0 default-information originate metric-type 1 ! ! ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 1 ! ! ip sla 1 icmp-echo 10.10.10.1 source-ip 10.10.10.3 frequency 5 ip sla schedule 1 life forever start-time now ! ! track 1 ip sla 1 reachability !
CSW-B
! interface Port-channel10 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet0/0 switchport access vlan 1000 switchport mode access media-type rj45 negotiation auto !
! interface GigabitEthernet0/1 no switchport ip address 10.10.21.1 255.255.255.252 negotiation auto ! ! interface GigabitEthernet1/2 switchport trunk encapsulation dot1q switchport mode trunk media-type rj45 negotiation auto channel-group 10 mode on ! interface GigabitEthernet1/3 switchport trunk encapsulation dot1q switchport mode trunk media-type rj45 negotiation auto channel-group 10 mode on ! ! interface Vlan1000 ip address 10.10.10.4 255.255.255.0 standby 10 ip 10.10.10.2 standby 10 priority 180 !
! router ospf 1 router-id 10.10.10.4 network 10.10.10.0 0.0.0.255 area 0 network 10.10.21.0 0.0.0.255 area 0 default-information originate metric 1 metric-type 1 ! ! ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 1 ! ! ip sla 1 icmp-echo 10.10.10.1 source-ip 10.10.10.4 frequency 5 ip sla schedule 1 life forever start-time now ! ! track 1 ip sla 1 reachability !
ASW-1
! ip dhcp pool users network 10.10.30.0 255.255.255.0 dns-server 223.5.5.5 114.114.114.114 default-router 10.10.30.254 ! ! interface GigabitEthernet0/2 switchport access vlan 30 switchport mode access media-type rj45 negotiation auto spanning-tree portfast edge ! ! interface GigabitEthernet0/0 no switchport ip address 10.10.20.2 255.255.255.252 negotiation auto ! interface GigabitEthernet0/1 no switchport ip address 10.10.21.2 255.255.255.252 negotiation auto ! ! router ospf 1 router-id 10.10.20.2 network 10.10.20.0 0.0.0.255 area 0 network 10.10.21.0 0.0.0.255 area 0 network 10.10.30.0 0.0.0.255 area 0 !
DMZSW-1
! interface GigabitEthernet0/0 switchport access vlan 10 switchport mode access media-type rj45 negotiation auto ! interface GigabitEthernet0/1 switchport access vlan 10 switchport mode access media-type rj45 negotiation auto ! interface GigabitEthernet0/2 switchport access vlan 20 switchport mode access media-type rj45 negotiation auto spanning-tree portfast edge ! ! interface Vlan10 ip address 172.16.10.2 255.255.255.252 ! interface Vlan20 ip address 172.16.20.254 255.255.255.0 !
! ip route 0.0.0.0 0.0.0.0 172.16.10.1 !
三.切换验证
1.出口切换
切换前:
再ISP中关闭线路1接口切换后:
在线路切换中正常业务丢包大约在4-8个包左右。
2.防火墙HA
切换前:
重启ASA-A切换后:
切换只丢1个包。
PS:这里在做验证的时候又发现了一个小问题,就是在已经做完上面线路出口切换的情况下不会退,再来进行HA的切换演练,会存在一个问题,但HA切换以后ASA-B中的默认路由依旧还是线路1的,而线路1在实验室已经down了,这就会导致切换后出现问题,解决办法就是清理路由表缓存 clear route all (或者指定下一条,生产中最后最小清除),这时候就会切换到线路2 ,同样在做线路切换模拟时,ASA-A 中的路由刷新等待时间时比较久的,这时候也可以手动刷新加快收敛速度。
四.遗留问题 1.上面虽然用手动刷新了路由表解决了这个缓存的问题,但在实际环境中这种切换时随机发生,我们不可能立马发现并受到刷新,所以如何避免因为路由缓存而影响HA切换故障时效时后面考虑的一个点。 2.在上面的拓扑中存在一个缺陷即核心时单上联防火墙,所以当主核心宕机而防火墙正常的情况下,数据是没有办法上行的,这里必须要进行双上联,否则双核心没有任何意义。 3.对于DMZ区域的NAT,在配置PAT的时候要注意PAT配置的顺序要优于DMZ NAT的顺序,否则PAT无法生效,具体参考另一篇文章https://blog.51cto.com/pinglife/2507602
由于时间有限,行文潦草,还缺少很多细节,后续再做完善。
